Complex Freemodel Backdoor Explained

LolloGamer_5123 YT
Apr 15, 2021

Let’s get right into it. We have a part containing a script whose name is a blank ASCII character. Inside, the script claims:

-- This an script of ROBLOX Studio. Do not delete it, this script secures your game from exploiters.

-- Thanks.

This is enough to convince beginners. As usual, the require() calls are buried deep in this long script, beneath the short note at the top.

It loads two modules, “mymodule2” and “mymodule”, both published by “jerkcrybaby”.

The first, “mymodule2”, is the widely used obfuscated “CheckMeIn” module. For those of you who don’t know what CheckMeIn is, it is a service with GUIs that allowed hotels to assign rooms. This module is a fake. The second, “mymodule”, is more understandable.

Inside of this module, there is a more complex script.

Yep. It uses GetProductInfo and string.match to get every number inside the description of a product, and converts them with the tonumber function before using them!

Analyzing this module: 5108960396, we get ANOTHER module from jerkcrybaby! And guess what, Jpeg7 has jerkcrybaby in his friends!

This new module tries to obfuscate another module.

Some testing revealed that the backdoor printed “Loaded!”, and we found the snippet buried in tons of requires and getfenvs nested one inside another.

The script checks the game ID so that it doesn’t run on specific games, and then proceeds to use getfenv() and string.reverse to hide functions.
Strangely, the 3 games it checks for are Adopt Me, Bloxburg and Royale High.

Luckily, it was pretty easy to reverse everything using print().

Test script to deobfuscate snippets

Following the last string printed, we get another module ID. This one was made by ModelBoyJoeXD, who this time does not appear to have ties with jerk.

Oh no. Inside the module, there is a script named halal. It uses requires and leads to another module made by ModelBoyJoeXD

Inside, it looks like a basic, annoying marketplace virus, but there is another require in it. Let’s get inside that module. The module has been published by builderx1337, who is currently moderated.

The script checks for a gamepass, and if it is owned, it’ll run the :admin function on a module. The module doesn’t have a name.

It simply gives a sign to a player.

Here’s what it looks like.

The script containing the require() of the marketplace script is located inside a folder, which is put under the workspace’s camera under a blank name.

Very confused?

This isn’t a dead end, but rather a learning opportunity: we were determined to trace everything to the last script remaining. Or did we? The last script remaining is… THAT CHECKMEIN OBFUSCATED FILE!

Unfortunately, right now it is full-on obfuscated. I don’t think it’s the actual CheckMeIn file: why would a function in it called antibackdoor be fired?
If it is the actual CheckMeIn script, I’m surprised. This is their page: https://checkmein.cloud/
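
The indicators described in this write-up (blank names, a folder hidden under the workspace camera, require() of numeric IDs, getfenv() combined with string.reverse, GetProductInfo lookups) can be checked for in your own place. The Studio command-bar script below is an added example, not code from the original post or from any of the modules analysed; the pattern list and the function names are assumptions chosen for illustration.

```lua
-- Added example. Run from the Studio command bar (Source is only readable there or in a plugin).
-- Read-only: it reports findings with warn() and changes nothing.
local SOURCE_INDICATORS = { -- illustrative Lua patterns for the tricks described above
	{ label = "require() of a numeric asset id", pattern = "require%s*%(%s*%d+" },
	{ label = "getfenv() call", pattern = "getfenv%s*%(" },
	{ label = "string reversal", pattern = "reverse%s*%(" },
	{ label = "GetProductInfo lookup", pattern = "GetProductInfo" },
}

-- True for empty names and names made only of whitespace or control characters.
local function isBlank(name)
	return name:match("^[%s%c]*$") ~= nil
end

-- 1-based line number of a character offset, to locate calls buried in long scripts.
local function lineOf(source, pos)
	local _, newlines = source:sub(1, pos):gsub("\n", "")
	return newlines + 1
end

local function auditScript(container)
	local findings = {}
	-- Walk from the script up to the DataModel: blank names and Camera ancestors are hiding spots.
	local node = container
	while node and node ~= game do
		if isBlank(node.Name) or node:IsA("Camera") then
			table.insert(findings, "blank name or Camera in ancestry: " .. node.ClassName)
		end
		node = node.Parent
	end
	local source = container.Source
	for _, indicator in ipairs(SOURCE_INDICATORS) do
		local pos = source:find(indicator.pattern)
		if pos then
			table.insert(findings, ("%s (line %d)"):format(indicator.label, lineOf(source, pos)))
		end
	end
	return findings
end

for _, inst in ipairs(game:GetDescendants()) do
	local ok, findings = pcall(function()
		return inst:IsA("LuaSourceContainer") and auditScript(inst) or {}
	end)
	if ok and #findings > 0 then
		warn(inst:GetFullName() .. " -> " .. table.concat(findings, "; "))
	end
end
```

Modules pulled in by require() with a numeric ID are fetched at run time and are not stored in the place file, so this only surfaces the first hop; each flagged ID still has to be inspected on its own.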
